RESPECTING PRIVACY LAWS AND PATIENT CONFIDENTIALITY Excellence in Action

Page 1: Patient confidentiality

RESPECTING PRIVACY LAWS AND PATIENT CONFIDENTIALITY

Excellence in Action

Page 2: Patient confidentiality

Objectives of this Presentation

To explain the HIPAA Law and its background, including:
- What information is protected
- Who is required to follow HIPAA laws
- Consequences for violating patient privacy
- Examples of HIPAA violations
- How to remain in compliance with the laws
- Reporting breaches of privacy

To provide scenarios for deeper understanding of the law

Page 3: Patient confidentiality

Introduction to the HIPAA Privacy Laws

Page 4: Patient confidentiality

HIPAA

The Health Insurance Portability and Accountability Act

HIPAA protects:
- Security and privacy of all medical records
- Health information used or shared in any form
- Patients’ rights: gives patients access to their information and control over its use

What is at stake:
- Privacy of care
- Security of personal health information (PHI), to avoid medical identity theft
- Electronic health records
- Computerized physician orders

Page 5: Patient confidentiality

HIPAA Protects Personal Health Information (PHI)

PHI is information that relates to:
- Patients’ health
- Care provided to patients
- Payment for care provided

Information that can be used to identify the patient:
- Name
- Address
- Birthday
- Social security number
- Medical record number

PHI is protected in every form: spoken, electronic, written

Any PHI must be kept confidential unless authorized by the patient or someone acting on the patient’s behalf, or unless permitted by HIPAA

Page 6: Patient confidentiality

Covered Entities

Entities required by law to follow HIPAA rules

Facilities that provide or bill for medical care and services:
- Hospitals
- Nursing (long-term or geriatric) facilities
- Physician offices

Organizations that pay for care or process care financial and administrative information:
- Insurance/claims/billing companies
- Health care clearing houses
- Associates and administrators working for these organizations

Page 7: Patient confidentiality

Consequences for Violating HIPAA Rules

Termination

Suspension

Criminal penalties:
- $50,000-$1.5 million fines
- Up to 10 years of imprisonment

Civil penalties:
- Fines ranging from $100-$25,000 per violation
- More fines for multiple-year violations

Page 8: Patient confidentiality

Examples of HIPAA Violations

Insurance Companies

Insurance companies need to access PHI to process claims

Sharing this information with a patient’s employer would be a violation of HIPAA regulations: employers do not need to know patients’ PHI

Laboratory Technicians

Physicians and nurses need full access to patients’ health records to provide care

Lab technicians only need to perform tests the physicians ordered; looking into the patients’ PHI would violate HIPAA rules

Page 9: Patient confidentiality

Examples of HIPAA Violations

Physicians and Nurses

Everyone wants medical privacy

Using their position to access records they do not need to do their job:
- Accessing coworkers’ records
- Accessing records of celebrities
- Accessing PHI of family members they are not treating
- Accessing records for personal gain, to gossip, or out of curiosity

Page 10: Patient confidentiality

Scenario 1: The Intern

Anna is an intern at the University of Idaho’s Pain Clinic. She does not have access to medical information but sees patients and hears about their medical conditions. Can she discuss these patients with her coworkers, friends, or family?

To follow the HIPAA privacy rules, Anna cannot discuss any patient information with anyone unless it is required for her job.

However, Anna can talk with others about the patients if she omits information that personally identifies the patients.

Page 11: Patient confidentiality

Scenario 2: The Celebrity

Chris, a nurse in Overlake Hospital’s Emergency Department, just saw Oprah Winfrey enter the hospital with intense abdominal pain. He wants to check on the celebrity so he can tell his friends why she was admitted. Can Chris ask his friend Sandy (in admitting) to look up Oprah’s room number?

Under HIPAA, checking on Oprah would be a breach of privacy. Knowledge of Oprah’s medical condition is not required for Chris to perform his job duties, and he is only interested in her condition for personal gain.

How would Chris feel if everyone gossiped about his abdominal pain?

Page 12: Patient confidentiality

Respecting Patient Privacy

To remain in compliance with HIPAA laws:
- Healthcare providers should give patients a Notice of Privacy Practices (NOPP), which:
  - Illustrates how the care provider will use the patients’ PHI
  - Tells patients their privacy rights
  - Allows PHI to be used for treatment, payment, and operations
- Covered entities must only access the minimum amount of PHI necessary to perform their job duties

Page 13: Patient confidentiality

Respecting Patient Privacy

Ways to protect PHI include:
- Being aware of your surroundings when talking about PHI
- Leaving telephone messages that include no PHI
- Asking yourself, “What if people were discussing my PHI like this?”
- Checking work areas to ensure no PHI is left unattended
- Sealing envelopes very well before sending
- Disposing of PHI in secured bins for destruction
- On the computer: use (and regularly reset) passwords, and do not leave the computer unattended

Page 14: Patient confidentiality

Examples of Privacy Breaches

Talking too loudly in public areas

Emails or faxes sent to the wrong person, address, or phone number

Failure to log off of computers (allowing others to access database)

Loss, theft, or improper disposal of items containing PHI:
- Paper, mail
- Films, charts
- CDs, flash drives

Unprotected computer systems being hacked into

Page 15: Patient confidentiality

HIPAA Breaches Nationwide

Page 16: Patient confidentiality

Reporting HIPAA Violations

Report Immediately

Report to your direct supervisor:
- Stolen or missing devices containing PHI
- Suspicious behavior

State laws require that privacy breach incidents be reported to the state’s Department of Public Health within a few days

No Retaliation for Reporting

Under HIPAA, covered entities cannot retaliate against employees for reporting privacy breaches

Page 17: Patient confidentiality

Resources

HBVideocast. (n.d.). “Health Information Privacy”. Retrieved August 2, 2013 from http://www.youtube.com/watch?v=TSvh5kkZskU.

The Regents of University of California. (2011). “HIPAA 101: Privacy and Security Training”. Retrieved August 2, 2013 from http://hipaa.ucsf.edu/education/downloads/HIPAA101Training.pdf.

U.S. Department of Health and Human Services. (n.d.). Summary of the HIPAA Privacy Rule. Retrieved August 2, 2013 from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/.